PatchSiren cyber security CVE debrief
CVE-2026-9181 Esri CVE debrief
CVE-2026-9181 is a critical directory traversal vulnerability in ArcGIS Server. An unauthenticated attacker could exploit this issue by sending crafted path parameters. Successful exploitation could allow access to sensitive files on the system. This issue impacts all versions of ArcGIS Server 12.0 and prior. The vulnerability has a CVSS score of 9.8, indicating a critical severity level. Organizations should prioritize patching to prevent potential unauthorized access to sensitive files.
- Vendor
- Esri
- Product
- ArcGIS Server
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-08
Who should care
Organizations using ArcGIS Server 12.0 and prior versions should prioritize patching this vulnerability to prevent potential unauthorized access to sensitive files. This includes operators, security teams, and vulnerability management teams responsible for maintaining and securing ArcGIS Server deployments.
Technical summary
The vulnerability exists due to improper handling of path parameters in ArcGIS Server. An attacker can exploit this vulnerability by sending crafted requests, potentially leading to access to sensitive files on the system. The CVSS score for this vulnerability is 9.8, indicating a critical severity level. There is no information on the root cause or specific exploit details beyond the provided CVSS score and vulnerability description.
Defensive priority
High
Recommended defensive actions
- Apply patches or updates provided by the vendor to vulnerable systems
- Restrict access to ArcGIS Server to only trusted users and networks
- Monitor ArcGIS Server logs for suspicious activity
- Implement additional security controls, such as web application firewalls
- Conduct regular vulnerability assessments and penetration testing
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-06T19:17:09.553Z and was last modified on 2026-07-08T03:09:46.867Z. The NVD entry is currently Analyzed. The evidence is limited, and defenders should verify the affected scope and severity with the vendor. The vulnerability exists in ArcGIS Server 12.0 and prior versions. There is no information on known or unknown affected scope beyond the provided details.
Official resources
-
CVE-2026-9181 CVE record
CVE.org
-
CVE-2026-9181 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T19:17:09.553Z and has not been modified since then. The NVD entry is currently Analyzed.